Monitor, alert on, and discover sensitive data in your code for each merge request, with instant feedback on every change pushed to a merge request. Spectral Bot can be installed on organizations, user accounts or groups, and can be granted access to specific projects.
| Variable | Required | Description |
|---|---|---|
| SELF_HOSTED_GITLAB_DOMAIN | No | If you run a self-hosted GitLab, provide its domain here, e.g. https://my-gitlab-domain.com |
| STRICT_MODE | No | If set to true, the check status is based on all issues found in the modified files, including issues that predate the merge request |
| SPECTRAL_TAGS | No | Tag list to run Spectral with, separated by commas (e.g. base,iac,audit) |
| SPECTRAL_ENGINES | No | Engine list to run Spectral with, separated by commas (e.g. secrets,iac,oss). Default is 'secrets' |
| SPECTRAL_DSN | No | Your Spectral DSN, retrieved from SpectralOps (leave blank if you are using a vault) |
| GITLAB_WEBHOOK_SECRET | No | Any strong, randomly generated secret will do; it is configured on the GitLab webhook so the bot can authenticate incoming calls (leave blank if you are using a vault) |
| GITLAB_TOKEN | No | Generate it in your GitLab profile -> Access Tokens with the "api" scope (leave blank if you are using a vault) |
| SECRETS_VAULT | No | The vault your secrets are stored in. Currently only AWS Secrets Manager is supported (see below) |
Instead of storing your secrets directly in the Lambda configuration, it is recommended to use a vault.
To use a vault, set an additional environment variable, SECRETS_VAULT, to the type of vault you are using.
- AWS Secrets Manager -
Currently only AWS Secrets Manager is supported; support for more vaults is planned.
In your vault, make sure you set the following three secrets, the ones the table above marks "leave blank if you are using a vault": SPECTRAL_DSN, GITLAB_WEBHOOK_SECRET and GITLAB_TOKEN.
If you are deploying with Terraform, note that the role created for the Lambdas grants the secretsmanager:GetSecretValue action only on those three secrets, so any other secret name will fail with an access-denied error rather than being read.
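The two halves of the vault setup, as an added example that is not Spectral's own code: reading the three secrets from the Lambda environment or from AWS Secrets Manager, and then using GITLAB_WEBHOOK_SECRET to authenticate an incoming webhook call before doing any work. It assumes (the page does not say) that the secret names in Secrets Manager equal the environment-variable names, and that the vault client has the boto3 secretsmanager interface `get_secret_value(SecretId=...)`; the `FakeSecretsManager` class is a constructed stand-in so the example runs offline.

```python
"""Added example, not Spectral's own code: read the bot's three secrets either
from Lambda environment variables or from AWS Secrets Manager, and authenticate
an incoming GitLab webhook call before doing any work.

Assumptions not on the page: the secret names in Secrets Manager equal the
environment-variable names, and the vault client has the boto3 secretsmanager
interface get_secret_value(SecretId=...) -> {"SecretString": ...}.
"""
import hmac
import json
from typing import Mapping, Optional

# The three values the table marks "leave blank if you are using vault".
SECRET_NAMES = ("SPECTRAL_DSN", "GITLAB_WEBHOOK_SECRET", "GITLAB_TOKEN")


class FakeSecretsManager:
    """Constructed stand-in for boto3's secretsmanager client, for offline runs."""

    def __init__(self, values: Mapping[str, str]):
        self._values = dict(values)

    def get_secret_value(self, SecretId: str) -> dict:
        # boto3 raises ResourceNotFoundException; KeyError is the offline equivalent.
        return {"SecretString": self._values[SecretId]}


def load_secrets(env: Mapping[str, str], vault_client=None) -> dict:
    """Return the three secrets, failing closed if any is missing.

    With SECRETS_VAULT set, every value is fetched from the vault and any
    environment copies are ignored. This is the path for which the role only
    needs secretsmanager:GetSecretValue on those three secret ARNs.
    """
    if env.get("SECRETS_VAULT"):
        if vault_client is None:
            import boto3  # assumed to be present in the Lambda runtime
            vault_client = boto3.client("secretsmanager")
        secrets = {name: vault_client.get_secret_value(SecretId=name)["SecretString"]
                   for name in SECRET_NAMES}
    else:
        secrets = {name: env.get(name, "") for name in SECRET_NAMES}
    missing = [name for name, value in secrets.items() if not value]
    if missing:
        raise RuntimeError("missing secrets: " + ", ".join(missing))
    return secrets


def authenticate_webhook(headers: Mapping[str, str], body: bytes,
                         webhook_secret: str) -> Optional[dict]:
    """Return the parsed merge-request event, or None if the call is rejected.

    GitLab sends the configured secret in X-Gitlab-Token; it is compared in
    constant time so response timing leaks nothing about the expected value.
    Only "Merge Request Hook" events with object_kind merge_request are accepted.
    """
    lowered = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    presented = lowered.get("x-gitlab-token", "")
    if not hmac.compare_digest(presented.encode("utf-8"), webhook_secret.encode("utf-8")):
        return None
    if lowered.get("x-gitlab-event") != "Merge Request Hook":
        return None
    try:
        event = json.loads(body)
    except ValueError:
        return None
    if not isinstance(event, dict) or event.get("object_kind") != "merge_request":
        return None
    return event


if __name__ == "__main__":
    fake_vault = FakeSecretsManager({"SPECTRAL_DSN": "dsn-example",
                                     "GITLAB_WEBHOOK_SECRET": "s3cret",
                                     "GITLAB_TOKEN": "glpat-example"})
    # Any non-empty SECRETS_VAULT value selects the vault path in this example.
    secrets = load_secrets({"SECRETS_VAULT": "aws"}, fake_vault)
    # Constructed webhook call, shaped like GitLab's merge_request event.
    call_body = b'{"object_kind": "merge_request", "object_attributes": {"iid": 7, "action": "open"}}'
    ok_headers = {"X-Gitlab-Token": "s3cret", "X-Gitlab-Event": "Merge Request Hook"}
    print(authenticate_webhook(ok_headers, call_body, secrets["GITLAB_WEBHOOK_SECRET"]))
    print(authenticate_webhook({**ok_headers, "X-Gitlab-Token": "wrong"}, call_body,
                               secrets["GITLAB_WEBHOOK_SECRET"]))
```

Rejecting the call before parsing the body keeps unauthenticated input away from the JSON parser and from the GitLab API calls the bot makes with GITLAB_TOKEN; checking the event header as well means a push or pipeline hook accidentally pointed at the bot is ignored instead of half-processed.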
Deploy using one of the following methods:
- Deploy the AWS resources using our Terraform module (set the integration_type parameter to gitlab).
- Go to our DockerHub repo for the GitLab scanner and follow the instructions there.
Then register the webhooks:
./create_webhooks -t GITLAB_TOKEN -u LAMBDA_FULL_URL -s WEBHOOK_SECRET -g GROUP_ID
This sets up webhooks for all projects under the group GROUP_ID (recursively, including subgroups). WEBHOOK_SECRET must be the same value as GITLAB_WEBHOOK_SECRET (or its vault entry), since GitLab sends it with every call and the bot uses it to authenticate the request. See ./create_webhooks -h for usage.
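What a webhook registration of this kind does, as an added example that is not Spectral's create_webhooks script: it walks the group's projects through GitLab's REST API (GET /groups/:id/projects with include_subgroups=true, then GET and POST /projects/:id/hooks) and creates a merge-request-only hook carrying the shared secret, with TLS verification on. The HTTP client is an assumption: it is injected and exposes `get(path, params) -> (json, headers)` and `post(path, payload) -> json`, with a real client adding the /api/v4 prefix and the PRIVATE-TOKEN header; `FakeGitLab` is a constructed in-memory server so the example runs offline. Hooks are keyed by URL, so re-running is idempotent.

```python
"""Added example, not Spectral's create_webhooks script: register a
merge-request webhook on every project under a GitLab group, including
subgroups, through GitLab's REST API.

Assumptions not on the page: the HTTP client is injected and exposes
get(path, params) -> (json, headers) and post(path, payload) -> json; a real
client would prefix paths with /api/v4 and send the PRIVATE-TOKEN header.
"""
from typing import Dict, List


def desired_hook(lambda_url: str, webhook_secret: str) -> dict:
    """Hook settings: MR events only, the shared secret GitLab will echo back in
    X-Gitlab-Token, and TLS verification on. A plain-http URL is refused because
    the secret would travel in clear text."""
    if not lambda_url.startswith("https://"):
        raise ValueError("webhook URL must be https")
    return {
        "url": lambda_url,
        "token": webhook_secret,
        "merge_requests_events": True,
        "push_events": False,
        "enable_ssl_verification": True,
    }


def list_group_projects(client, group_id: int) -> List[int]:
    """Collect project ids under the group, following X-Next-Page pagination
    (GitLab returns an empty X-Next-Page on the last page)."""
    ids, page = [], "1"
    while page:
        projects, headers = client.get(
            f"/groups/{group_id}/projects",
            {"include_subgroups": "true", "per_page": 100, "page": page})
        ids.extend(p["id"] for p in projects)
        page = headers.get("X-Next-Page", "")
    return ids


def ensure_hook(client, project_id: int, hook: dict) -> str:
    """Create the hook unless one already points at the same URL."""
    existing, _ = client.get(f"/projects/{project_id}/hooks", {})
    if any(h.get("url") == hook["url"] for h in existing):
        return "exists"
    client.post(f"/projects/{project_id}/hooks", hook)
    return "created"


def create_webhooks(client, group_id: int, lambda_url: str,
                    webhook_secret: str) -> Dict[int, str]:
    """Register the hook on every project under group_id; returns per-project outcome."""
    hook = desired_hook(lambda_url, webhook_secret)
    return {pid: ensure_hook(client, pid, hook)
            for pid in list_group_projects(client, group_id)}


class FakeGitLab:
    """Constructed in-memory GitLab for offline runs: one group holding the
    given project ids, paginated to exercise X-Next-Page handling."""

    def __init__(self, project_ids: List[int], page_size: int = 2):
        self.project_ids = list(project_ids)
        self.page_size = page_size
        self.hooks: Dict[int, List[dict]] = {pid: [] for pid in project_ids}

    def get(self, path, params):
        if path.endswith("/projects"):
            page = int(params.get("page", 1))
            start = (page - 1) * self.page_size
            chunk = self.project_ids[start:start + self.page_size]
            more = start + self.page_size < len(self.project_ids)
            return [{"id": pid} for pid in chunk], {"X-Next-Page": str(page + 1) if more else ""}
        pid = int(path.split("/")[2])  # "/projects/<id>/hooks"
        return list(self.hooks[pid]), {}

    def post(self, path, payload):
        pid = int(path.split("/")[2])
        self.hooks[pid].append(dict(payload))
        return payload


if __name__ == "__main__":
    gl = FakeGitLab([11, 12, 13])
    print(create_webhooks(gl, 1, "https://lambda.example/gitlab", "s3cret"))  # all "created"
    print(create_webhooks(gl, 1, "https://lambda.example/gitlab", "s3cret"))  # all "exists"
```

Leaving push_events off means the bot only ever receives merge-request events, and the https check refuses to register a hook that would leak the secret on the wire; both are checks worth keeping if you script registration yourself instead of using the provided tool.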
It is highly recommended to monitor the bot for errors. If the bot is hosted on AWS Lambda, this is easy to do with a CloudWatch alarm on the function's Errors metric.
To create an alarm do the following:
- In CloudWatch, click Create Alarm and then Select metric.
- Select the Errors metric for the bot's Lambda function and click Select metric.
- Set the statistic to Sum and select the period over which the threshold is measured.
- Under Conditions, choose Greater/Equal and set the threshold value to 1, so that a single error within a period triggers the alarm. Click Next.
- Enter the e-mail addresses that should be alerted. Click Next, name the alarm and click Next.
- Go over the summary and, if everything makes sense to you, confirm to create the alarm.
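The same alarm expressed as a boto3 `put_metric_alarm` call, as an added example that is not from the page, so it can be scripted next to the Terraform deployment instead of clicked through. It assumes notifications go to an SNS topic (the console's e-mail step subscribes an address to such a topic behind the scenes) and that the function name and topic ARN are supplied by the caller; the names used in the `__main__` block are placeholders.

```python
"""Added example, not from the page: the CloudWatch alarm on the bot's Lambda
Errors metric, expressed as a boto3 put_metric_alarm call.

Assumptions not on the page: alerts go to an SNS topic whose ARN the caller
supplies, and the Lambda function name is passed in by the caller.
"""


def lambda_errors_alarm(function_name: str, sns_topic_arn: str,
                        period_seconds: int = 300, evaluation_periods: int = 1) -> dict:
    """Build put_metric_alarm arguments: Sum of Lambda Errors per period, alarming
    when it is >= 1 (the console's Greater/Equal with threshold 1). Standard
    Lambda metrics have 1-minute resolution, so the period must be a multiple
    of 60 seconds."""
    if period_seconds < 60 or period_seconds % 60:
        raise ValueError("period must be a positive multiple of 60 seconds")
    if evaluation_periods < 1:
        raise ValueError("evaluation_periods must be >= 1")
    return {
        "AlarmName": f"{function_name}-errors",
        "AlarmDescription": f"Spectral bot {function_name} reported Lambda errors",
        "Namespace": "AWS/Lambda",
        "MetricName": "Errors",
        "Dimensions": [{"Name": "FunctionName", "Value": function_name}],
        "Statistic": "Sum",
        "Period": period_seconds,
        "EvaluationPeriods": evaluation_periods,
        "Threshold": 1,
        "ComparisonOperator": "GreaterThanOrEqualToThreshold",
        # A period with no merge requests produces no datapoints; that is not an outage.
        "TreatMissingData": "notBreaching",
        "AlarmActions": [sns_topic_arn],
        # Also notify when the bot recovers, so the on-call sees the alarm clear.
        "OKActions": [sns_topic_arn],
    }


def create_alarm(cloudwatch_client, function_name: str, sns_topic_arn: str, **kwargs) -> dict:
    """Apply the alarm through a boto3 cloudwatch client (or any object exposing
    put_metric_alarm) and return the arguments that were sent."""
    args = lambda_errors_alarm(function_name, sns_topic_arn, **kwargs)
    cloudwatch_client.put_metric_alarm(**args)
    return args


if __name__ == "__main__":
    import boto3  # assumed available where this is run

    create_alarm(boto3.client("cloudwatch"),
                 function_name="spectral-gitlab-bot",  # placeholder function name
                 sns_topic_arn="arn:aws:sns:us-east-1:123456789012:spectral-bot-alerts")  # placeholder ARN
```

Treating missing data as not breaching matters for a webhook-driven function: a quiet period with no merge requests produces no Errors datapoints at all, and the default of treating that as missing would otherwise keep the alarm in INSUFFICIENT_DATA rather than OK.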
Merge requests for all the projects you selected are now protected by Spectral. Any issues found are written as a note on the MR.